
Ensure ID Token is updated after refresh token (Reactive)

Open jgrandja opened this issue 7 months ago • 4 comments

We need to implement the Reactive counterpart of gh-16589.

jgrandja, May 30 '25 11:05

Hi @jgrandja, can you assign this one to me?

evgeniycheban, Jun 03 '25 14:06

Thank you @evgeniycheban. I've assigned it to you.

jgrandja, Jun 03 '25 15:06

Hi @jgrandja, I have opened a PR. I have some doubts about the correct implementation of this.

I have added a RefreshTokenReactiveOAuth2AuthorizationSuccessHandler that handles a SecurityContext refresh. However, it depends on a ServerSecurityContextRepository, which requires a ServerWebExchange. It will work for use within the context of a ServerWebExchange, but if we want to refresh a SecurityContext for those clients that are used outside of a ServerWebExchange context, we might need to think about having a different abstraction here. One thing that comes to mind is to bind an Authentication object to ClientRequest, similar to how it's proposed to be done in gh-16284. What do you think?

evgeniycheban, Jun 14 '25 13:06

Thanks for the PR @evgeniycheban. I will do my best to review this soon. The team has a few high-priority items for the upcoming major releases of Spring Security 7.0 and Spring Authorization Server 2.0, so we need to focus on those items first. Thank you for your patience.

jgrandja, Jun 16 '25 14:06